nixfiles/presets/nixos/server-encrypted-drive.nix

{
  config,
  tree,
  ...
}: {
  imports = with tree; [profiles.sshd];

  config.boot = {
    loader.systemd-boot.enable = false;

    loader.grub = {
      enable = true;
      efiSupport = false;
      enableCryptodisk = true;
      device = "/dev/sda";
    };

    initrd.availableKernelModules = [
      "nvme"
      "ahci"
      "xhci_pci"
      "virtio_pci"
      "sd_mod"
      "sr_mod" # For Storage
      "virtio_net" # For Hetzner VMs Networking

      # For Cryptography
      "aesni_intel"
      "cryptd"
    ];

    loader.supportsInitrdSecrets = true;
    initrd.luks.forceLuksSupportInInitrd = true;
    initrd.network = {
      enable = true;
      ssh = {
        enable = true;
        port = 22;
        authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
        hostKeys = ["/ssh_host_ed25519_key"];
      };
      postCommands = ''
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };

    initrd.secrets = {
      "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";
    };

    initrd.luks.devices = {
      "nixos_unencrypted" = {
        device = "/dev/sda3";
        preLVM = false;
        allowDiscards = true;
      };
    };
  };

  config.fileSystems = {
    "/" = {
      device = "/dev/mapper/nixos_unencrypted";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/sda2";
      fsType = "vfat";
    };
  };
}
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`{`
			`config,`
updates (untested) 2023-02-13 11:33:33 +00:00			`tree,`
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`...`
			`}: {`
fix rclone sync on b2, add extraArgs, fixed misskey media sync 2023-03-25 09:33:20 +00:00			`imports = with tree; [profiles.sshd];`
updates (untested) 2023-02-13 11:33:33 +00:00
add encrypted server profile and move vault to it 2022-12-14 12:04:21 +00:00			`config.boot = {`
			`loader.systemd-boot.enable = false;`

			`loader.grub = {`
			`enable = true;`
			`efiSupport = false;`
			`enableCryptodisk = true;`
			`device = "/dev/sda";`
			`};`

			`initrd.availableKernelModules = [`
			`"nvme"`
			`"ahci"`
			`"xhci_pci"`
			`"virtio_pci"`
			`"sd_mod"`
			`"sr_mod" # For Storage`
			`"virtio_net" # For Hetzner VMs Networking`

			`# For Cryptography`
			`"aesni_intel"`
			`"cryptd"`
			`];`

			`loader.supportsInitrdSecrets = true;`
			`initrd.luks.forceLuksSupportInInitrd = true;`
			`initrd.network = {`
			`enable = true;`
			`ssh = {`
			`enable = true;`
			`port = 22;`
			`authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;`
			`hostKeys = ["/ssh_host_ed25519_key"];`
			`};`
			`postCommands = ''`
			`echo 'cryptsetup-askpass' >> /root/.profile`
			`'';`
			`};`

			`initrd.secrets = {`
			`"/ssh_host_ed25519_key" = "/ssh_host_ed25519_key";`
			`};`

			`initrd.luks.devices = {`
			`"nixos_unencrypted" = {`
			`device = "/dev/sda3";`
			`preLVM = false;`
			`allowDiscards = true;`
			`};`
			`};`
			`};`

			`config.fileSystems = {`
			`"/" = {`
			`device = "/dev/mapper/nixos_unencrypted";`
			`fsType = "ext4";`
			`};`
			`"/boot" = {`
			`device = "/dev/sda2";`
			`fsType = "vfat";`
			`};`
			`};`
			`}`